The Circuitry
BREAKING · By Xavier Rivera · 1.5 min read

Germany Names REvil and GandCrab Ransomware Leaders

German Federal Police identify Denis Postov and Aleksandr Ermakov as leaders of REvil and GandCrab ransomware operations from 2019-2021. The move advances accountability for cybercrime kingpins, potentially disrupting ongoing threats through international sanctions and arrests.

The German Federal Police (Bundeskriminalamt, BKA) have unmasked two Russian nationals as the masterminds behind REvil and GandCrab, two ransomware operations that extorted hundreds of millions of dollars from victims worldwide between 2019 and 2021.

REvil, also known as Sodinokibi, peaked with the July 2021 Kaseya VSA supply chain attack, which reached as many as 1,500 downstream businesses in at least 17 countries. GandCrab, active from 2018 to 2019, was run as an affiliate program whose operators claimed $2 billion in ransoms before retiring. The BKA's identification, detailed in a recent report, names Denis Postov and Aleksandr Ermakov as the operational leaders; investigators combined blockchain analysis of ransom payments with tips from international partners to connect the two men's real-world identities to their dark web personas.

This breakthrough pierces the anonymity that ransomware groups rely on. Russian cybercriminals have long operated with impunity, shielded by Russia's refusal to extradite its own nationals and by geopolitical tensions that stall cooperation. Concrete attributions now make asset seizures, sanctions and prosecutions possible through allies such as the U.S., which indicted and sanctioned REvil affiliates after the Kaseya attack in 2021.

For enterprises, the news underscores how defenses have evolved. Ransomware-as-a-service models like REvil's let many affiliates run attacks with rented tooling; dismantling the leadership disrupts recruitment and morale. On the defensive side, Microsoft Sentinel (formerly Azure Sentinel) and Microsoft Defender now ship behavioural detections for the tactics these families used, such as shadow-copy deletion and bursts of file encryption, which surface similar intrusions earlier in the attack chain.

Law enforcement momentum is building. REvil went dark in 2021 under pressure from the U.S. and allied law enforcement, but remnants of its affiliate network persist. Expect Interpol Red Notices and joint operations targeting the laundering networks behind these groups, a signal to copycats that evasion is growing riskier.

**Expert Take:** M365 admins should audit EDR telemetry for GandCrab- and REvil-style encryptor behaviour (one process renaming large numbers of files to a new extension, followed by shadow-copy deletion) and tune Defender's multi-stage ransomware alerts accordingly, as indicators linked to both families still turn up in phishing kits.

EXPERT TAKE

M365 admins: Prioritize REvil/GandCrab indicators in Defender's custom threat-intelligence indicators to block affiliate remnants targeting OneDrive shares. One caveat: the blockchain analysis behind this attribution yields cryptocurrency wallet addresses, which support attribution and asset tracing rather than endpoint blocking. The file hashes, domains and IP addresses that your threat-intel vendor attributes to these families are what belong in the indicator list.
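The two expert takes above call for two kinds of hunting: behavioural (mass extension changes plus recovery tampering) and indicator-based (process hashes matched against a curated list). The script below is an added example written for this article, not code from The Circuitry, Microsoft or the BKA report. It assumes a simplified export of Defender's DeviceFileEvents and DeviceProcessEvents tables (field names are an assumption, not the real schema), and every event and every SHA-256 "indicator" in it is constructed for illustration; the real hashes, domains and IPs would come from your threat-intel feed. The thresholds in the `__main__` block are lowered so the constructed sample triggers; in production the rename threshold should be in the hundreds.

```python
"""Hunt EDR file/process telemetry for REvil/GandCrab-style behaviour and known indicators.

Added example for this article; not code from the page, Microsoft or the BKA.
Field names are a simplified stand-in for Defender's DeviceFileEvents /
DeviceProcessEvents tables (assumption). All events and hashes are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import splitext

# Constructed SHA-256 indicators (placeholder values, NOT real REvil/GandCrab hashes).
INDICATORS = {
    "a" * 64: "REvil loader (constructed)",
    "b" * 64: "GandCrab v5 (constructed)",
}

# Commands ransomware commonly runs before encrypting to kill recovery options.
# Each tuple's tokens must all appear (case-insensitively) in the command line.
RECOVERY_TAMPER_PATTERNS = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("bcdedit", "recoveryenabled no"),
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_rename_bursts(events, window=timedelta(minutes=5), threshold=50):
    """Flag a process that renames >= threshold files to a new extension within `window`.

    A burst of extension changes by one process is the footprint of an encryptor
    appending its marker (.GDCB/.CRAB/.KRAB for GandCrab, a random string for REvil).
    """
    renames = defaultdict(list)  # (device, pid, proc) -> [(ts, new_ext)]
    for e in events:
        if e.get("table") != "DeviceFileEvents" or e.get("action") != "FileRenamed":
            continue
        old_ext = splitext(e["prev"])[1].lower()
        new_ext = splitext(e["file"])[1].lower()
        if new_ext and new_ext != old_ext:
            renames[(e["device"], e["pid"], e["proc"])].append((_ts(e["ts"]), new_ext))
    findings = []
    for (device, pid, proc), items in renames.items():
        items.sort()
        start, best, best_exts = 0, 0, set()
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_exts = {ext for _, ext in items[start:end + 1]}
        if best >= threshold:
            findings.append({"device": device, "pid": pid, "proc": proc,
                             "renames": best, "extensions": sorted(best_exts)})
    return findings


def find_recovery_tampering(events):
    """Return process events whose command line matches a recovery-kill pattern."""
    hits = []
    for e in events:
        if e.get("table") != "DeviceProcessEvents":
            continue
        cmd = e.get("cmdline", "").lower()
        if any(all(tok in cmd for tok in pat) for pat in RECOVERY_TAMPER_PATTERNS):
            hits.append(e)
    return hits


def match_indicators(events, indicators=INDICATORS):
    """Return (event, label) pairs whose process SHA-256 is on the indicator list."""
    return [(e, indicators[e["sha256"]]) for e in events
            if e.get("table") == "DeviceProcessEvents" and e.get("sha256") in indicators]


def hunt(events, threshold=50, window=timedelta(minutes=5)):
    """Correlate the three checks into one report keyed by device name."""
    report = defaultdict(lambda: {"bursts": [], "tampering": [], "ioc_hits": []})
    for f in find_rename_bursts(events, window, threshold):
        report[f["device"]]["bursts"].append(f)
    for e in find_recovery_tampering(events):
        report[e["device"]]["tampering"].append(e["cmdline"])
    for e, label in match_indicators(events):
        report[e["device"]]["ioc_hits"].append(label)
    return dict(report)


def _rename(ts, device, pid, proc, prev, file):
    return {"table": "DeviceFileEvents", "action": "FileRenamed", "ts": ts,
            "device": device, "pid": pid, "proc": proc, "prev": prev, "file": file}


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # ws01: one process appends ".5f2k9" to six documents in seconds, then vssadmin runs.
    *[_rename(f"2021-07-02T14:00:{i:02d}Z", "ws01", 4120, "agent.exe",
              f"C:\\Users\\a\\Docs\\report{i}.docx",
              f"C:\\Users\\a\\Docs\\report{i}.docx.5f2k9") for i in range(6)],
    {"table": "DeviceProcessEvents", "ts": "2021-07-02T14:00:09Z", "device": "ws01",
     "pid": 5001, "proc": "vssadmin.exe", "sha256": "c" * 64,
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # ws02: Word finishing a save via a temp-file rename; benign, single event.
    _rename("2021-07-02T14:01:00Z", "ws02", 2210, "WINWORD.EXE",
            "C:\\Users\\b\\Docs\\~WRD0001.tmp", "C:\\Users\\b\\Docs\\memo.docx"),
    # ws03: a process whose hash is on the indicator list, no file activity yet.
    {"table": "DeviceProcessEvents", "ts": "2021-07-02T14:02:00Z", "device": "ws03",
     "pid": 3300, "proc": "update.exe", "sha256": "a" * 64, "cmdline": "update.exe /s"},
]

if __name__ == "__main__":
    # Threshold lowered to 5 for the small constructed sample.
    print(json.dumps(hunt(SAMPLE_EVENTS, threshold=5), indent=2))
```

Run as-is and the report lists ws01 (a six-file rename burst plus shadow-copy deletion, the combination worth paging on) and ws03 (an indicator match with no encryption yet, the point at which an isolate-and-investigate playbook should fire); ws02's single temp-file rename stays below threshold, which is why the burst check counts per process rather than alerting on any extension change.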

Tags: cybersecurity, ransomware, REvil
